[dns-operations] Inconsistent NSEC response for unsigned zone from AWS
Matt Nordhoff
mnordhoff at gmail.com
Tue Jun 22 04:31:54 UTC 2021
On Tue, Jun 22, 2021 at 3:54 AM Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> On Tue, Jun 22, 2021 at 03:30:39AM +0000, Matt Nordhoff wrote:
>
> > > Indeed I see the same:
> > >
> > > $ dig +noall +dnssec +norecur +nocrypto +ans +auth +add -t NS corp.ibexglobal.com @ns-725.awsdns-26.net.
> > > corp.ibexglobal.com. 172800 IN NS ns-1415.awsdns-48.org.
> > > corp.ibexglobal.com. 172800 IN NS ns-1804.awsdns-33.co.uk.
> > > corp.ibexglobal.com. 172800 IN NS ns-29.awsdns-03.com.
> > > corp.ibexglobal.com. 172800 IN NS ns-945.awsdns-54.net.
> > > corp.ibexglobal.com. 86400 IN NSEC \000.corp.ibexglobal.com. RRSIG NSEC
> > > corp.ibexglobal.com. 86400 IN RRSIG NSEC 13 3 86400 20210623012420 20210621232420 36517 ibexglobal.com. [omitted]
> > >
> > > This violates <https://datatracker.ietf.org/doc/html/rfc4035#section-2.3>:
> >
> > I haven't spent the time to understand precisely what this thread is
> > talking about, but that's how NSEC white/black lies work. NS1 does the
> > same thing (give or take possible bugs) as AWS.
>
> No, there's a subtle difference, this qname actually exists, and has an
> NS RRSet. The NSEC bitmap needs to reflect this.
Ah, now I understand the issue, thank you.
I'm sorry if my previous email seemed glib. I didn't get enough sleep
to easily understand NSEC problems, but thought it was probably better
to reply now than to wait.
My email might still matter, but it's not relevant to this thread.
[FWIW, Cloudflare handles insecure referrals correctly, AFAIK. I have
no idea about NS1, but there's no reason to suspect anything.]
--
Matt Nordhoff
More information about the dns-operations
mailing list